I don't know if you could help me with the following problem:
I developed an application for signing PDF docs using your component for .NET, and on my PC with certificates from my local store everything worked fine, but when I installed the application on a server which uses an nCipher HSM for cryptographic operations, it started producing documents which Acrobat Reader cannot verify.
The error is: "Error encountered while BER decoding".
It seems it can find the certificate in the store, but it can't use it. Why it doesn't throw an error, I don't know.
Thanks,

1) Please don't crosspost questions to the forum and helpdesk.
2) the issue is Acrobat specific. Unfortunately, their support is next to absent, and this means that if something doesn't work, there will be no fixes or workarounds.

Let's try to find out what exactly causes Acrobat to fail. First of all, everything seems to work if the certificate is in the local store, right?
What happens if you use *the same* certificate on the server (with hardware module)?

Just to let you know that I discovered that I can correctly sign a PDF with a certificate from the current user store but not from the Local System store.
My code for using the Local System store is:
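    // Open the "MY" system store of the local machine instead of the current user
    SystemStore.AccessType = TSBStorageAccessType.atLocalMachine;
    SystemStore.SystemStores.BeginUpdate();
    try
    {
        SystemStore.SystemStores.Clear();
        SystemStore.SystemStores.Add("MY");
    }
    finally
    {
        // Close the update started by BeginUpdate()
        SystemStore.SystemStores.EndUpdate();
    }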
When I removed: SystemStore.AccessType = TSBStorageAccessType.atLocalMachine
then I correctly signed the PDF with the certificate from the user store.
Can you help me to use the Local System store?

Please check that your key is exportable. If the key is not exportable, and your application is a service, then CryptoAPI will give a warning window (saying that someone accesses the private key), which is not visible to the client, and signing won't work. The same goes for Web Applications.

A similar topic was discussed just a couple of days ago in this forum.

I have an identical problem and having the private key in the local machine store exportable did solve the issue.
However, sometimes the key can't be made exportable (for example if it is stored in an HSM).
Why does the private key need to be exportable?

The situation that I have is that a non-service application uses a machine private key stored in the regular Microsoft CAPI provider.
Although signing seems OK, Acrobat complains about 'invalid ber...'
If the problem is getting access to the private key, then shouldn't I see a dialog pop up asking for access to the key, or at least get an exception from the signing operation?

Just want to add that the very same machine-stored private key is used by C++ code in a service application that uses it (through CAPI) to perform S/MIME signatures (CryptSignMessage etc.), so that key does not require user authorization.

What you are talking about is a completely different problem.
Acrobat is dumb when it comes to error messages and their meanings. The "Invalid BER encoding" error can mean anything, from a signature Acrobat can't parse to a certificate extension that Acrobat doesn't understand. Please try signing with some other certificate or with the same certificate but with an exportable key.

Also, you might want to try different signature types - pkcs1 and pkcs7 (pstX509RSASHA1 and pstPKCS7SHA1 values for the TElPDFPublicKeySecurityHandler.SignatureType property).

The difference in the signing process with exportable and non-exportable keys is that with exportable keys, SecureBlackbox performs all cryptographic operations. With non-exportable keys, SecureBlackbox asks CryptoAPI (or the PKCS#11 driver) to perform the SignHash operation. The result can be different, for example when some library puts a leading zero when it's not needed (or vice versa).
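
One way to test for the leading-zero difference mentioned in the reply above, as an added example that is not part of the thread and is not SecureBlackbox code: RFC 8017 defines an RSA PKCS#1 signature as exactly k octets, where k is the modulus length in octets, so a value returned by a provider can be compared against that length and re-encoded. The function names and the sample modulus and signature bytes are constructed for illustration.

```python
"""Check a raw RSA signature value for leading-zero length mismatches."""

def modulus_len(n: int) -> int:
    """k in RFC 8017: the length of the RSA modulus in octets."""
    return (n.bit_length() + 7) // 8

def classify(sig: bytes, n: int) -> str:
    """Describe how the signature's byte length relates to the modulus."""
    k = modulus_len(n)
    if len(sig) < k:
        return "stripped-leading-zero"      # shorter than k: zero octets dropped
    if len(sig) > k:
        extra = sig[:len(sig) - k]
        return "extra-leading-zero" if not any(extra) else "too-long"
    return "ok" if int.from_bytes(sig, "big") < n else "out-of-range"

def normalize(sig: bytes, n: int) -> bytes:
    """Re-encode the signature as exactly k big-endian octets."""
    value = int.from_bytes(sig, "big")
    if value >= n:
        raise ValueError("signature value does not fit the modulus")
    return value.to_bytes(modulus_len(n), "big")

# Constructed sample data (not a real key or signature): a 128-bit "modulus"
# and a signature value whose most significant octet happens to be zero.
N = int.from_bytes(b"\xc5" + b"\x11" * 15, "big")
GOOD = b"\x00\x9a" + b"\x22" * 14    # 16 octets, the length RFC 8017 requires
STRIPPED = GOOD[1:]                   # leading zero octet dropped by the signer
PADDED = b"\x00" + GOOD               # one zero octet more than needed

if __name__ == "__main__":
    for name, sig in (("GOOD", GOOD), ("STRIPPED", STRIPPED), ("PADDED", PADDED)):
        fixed = normalize(sig, N)
        print(f"{name:9} len={len(sig):2} {classify(sig, N):22} -> {len(fixed)} octets")
```

All three sample encodings carry the same integer, so they are mathematically the same signature; only the octet length differs, which is the kind of mismatch a strict parser can reject.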
